DSAccess for Exchange

by William BoswellAddison-Wesley Professional, Copyright 2004

In this tip from "15 tips in 15 minutes: Managing recipients and distribution lists," you'll discover the importance of the Exchange service DSAccess and how it works with the DNS, Global Catalog servers, and domain controllers.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

Configuration information for the organization. Exchange stores server parameters, mailbox and public folder store parameters, public folder hierarchy, tool parameters, and much more in the Configuration naming context of Active Directory.

Recipient information in the Global Catalog. Exchange and Outlook need access to a Global Catalog server to expand group memberships for mail-enabled groups, to obtain address lists such as the GAL, and to obtain recipient information necessary for message handling and routing.

Recipient information in a domain. If Exchange can get the information it needs about a recipient from a standard domain controller in its own domain rather than a Global Catalog server, it will do so. This reduces load on the Global Catalog servers.

An Exchange service called DSAccess has the task of finding domain controllers and Global Catalog servers suitable for use by Exchange. Think of DSAccess as a nightclub owner who books stage talent. It applies a series of tests, the details of which you'll see in a minute, to determine which servers it wants to use. It then selects up to ten domain controllers and ten Global Catalog servers and puts them in a local DSAccess profile. It also selects one domain controller to use for a configuration server. This avoids replication latency issues.

Figure 5.20 Diagram of DSAccess selection based on location. (Click on image for enlarged view.)

DSAccess keeps an open connection to each server in the DSAccess profile. This avoids the expensive chore of building up and tearing down RPC and TCP connections each time the Exchange server needs information.

Other Exchange services, such as the SMTP Routing Engine Categorizer and DSProxy, send their LDAP and NSPI requests to DSAccess, which selects a target domain controller or Global Catalog server from its profile and forwards the request to that server. It uses a round robin selection process for load balancing.

Because all LDAP queries funnel through DSAccess, Exchange dramatically improves performance by caching the query results. By default, Exchange gives 4MB of physical memory to the DSAccess cache.

Global Catalog advertising and DSAccess

DSAccess uses DNS to locate domain controllers and Global Catalog servers. Figure 5.21 shows an example DNS zone with three GC SRV records located in the _msdcs.dc.gc._tcp folder. Active Directory domain controllers also place copies of these SRV records into individual site folders underneath the _msdcs.dc.gc._sites folder. By looking in the folder corresponding to its own Active Directory site, DSAccess can locate local Global Catalog servers.

When you configure a domain controller to be a Global Catalog server, the server must replicate the Domain naming contexts from the other domains before it can answer Global Catalog lookup requests authoritatively. Once a newly promoted Global Catalog server has replicated all domain naming contexts, it places an SRV record in DNS that "advertises" itself as available. You can verify the status of the Global Catalog promotion in several ways:

Look for an Event log entry saying that the GC promotion has completed (Figure 5.22 shows an example).

Look for a Registry entry called HKLM -> System -> CurrentControlSet -> Services -> NTDS -> Parameters -> Global Catalog Promotion Complete (shown in Figure 5.23.) and verify that the value is set to 1.

Dump the RootDSE contents using the LDAP Browser (LDP) from the Windows Server 2003 Support Tools and look for the isGlobalCatalogReady attribute set to TRUE.

Use the Nltest utility that comes in the Windows Server 2003 Support Tools. The following example shows that the server running Nltest was able to find a Global Catalog server in its local site (Phoenix) in its domain (Company.com):

Use the Netdiag utility that comes in the Windows Server 2003 Support Tools. The following example shows that the server running Netdiag was able to enumerate all domain controllers, it was able to find a domain controller in the local site (W2K3-S1), and it was unable to contact one of the domain controllers (W2K3-S9):

DSAccess performs a series of tests to determine the suitability of a domain controller or Global Catalog server. The first tests determine whether the domain controller or Global Catalog server can respond to Exchange queries:

Reachability. The server must respond to an LDAP bind request on TCP port 389 for domain controllers and TCP port 3268 for Global Catalog servers.

Replication current flag. DSAccess checks RootDSE on the domain controller to verify that the isSynchronized attribute shows TRUE.

Server functional test (Netlogon). In this somewhat time-consuming test, DSAccess makes an RPC connection to the Netlogon service at the domain controller and then checks available disk space, time synchronization, and whether the server participates in replication. You can disable this test for front-end servers in front of firewalls. See Chapter 11, "Deploying a Distibuted Architecture," for details.

Operating system version. Exchange 2003 requires that all domain controllers used by DSAccess run at least Windows 2000 SP3 or higher.

Domain Exchange-Ready. DSAccess looks to see if the Exchange Enterprise Servers group has Manage Auditing and Security Log permissions on the domain controller. This verifies that an administrator has run DomainPrep in the domain and that the changes have replicated to the target domain controller.

The Exchange Support Tools (free download from Microsoft) contains a utility called Policytest that runs the same test as DSAccess to verify that DomainPrep has fully replicated to all domain controllers. It checks to see if the Exchange Enterprise Servers group has been granted the Manage Auditing And Security Logs privilege on each domain controller. You'll need Domain Admin rights to run Policytest. Here's a sample listing for three domain controllers:

All things being equal, DSAccess uses round robin to share load among domain controllers and Global Catalog servers. The final checks determine if a Global Catalog server can actually give authoritative answers to queries. DSAccess verifies the following:

Global Catalog attribute in the NTDS Settings object for the server set to TRUE

Correct number of naming contexts

Viewing DSAccess selection results

Once DSAccess selects its domain controllers and Global Catalog servers, you can view the results in ESM by opening the Properties window for an Exchange server and then selecting the Directory Access tab, as shown in Figure 5.24.

If you change the selection in the Show dropdown list from All Domain Controllers to one of the other selection options, you can uncheck Automatically Discover Servers and manually select a server or servers for that operation. If you select servers manually, include more than one for fault tolerance. DSAccess does not dynamically select a server if it cannot contact any of the statically configured servers.

Event log entries for DSAccess selection results

If you enable diagnostic logging for DSAccess in the server Properties window in ESM and set the logging level to Medium, you will see a log entry Event ID 2080 from the MSExchangeDSAccess showing the result of the DSAccess evaluation. Figure 5.25 demonstrates an example.

The evaluation includes 10 tests. It's difficult to see in the Event Properties window, but the test results are displayed as columns. You can click the Copy to Clipboard button and paste the result into Notepad if you want a clearer layout. The first column, Server Name, lists the server's Fully Qualified Domain Name (FQDN). Here's a brief description of the content under each column. For more details, see Microsoft Knowledge Base article 316300.

Reachability. DSAccess uses a numerical system to show whether it can connect to a server via TCP. A successful connection to a Global Catalog server is represented with a 1, 2 means a successful connection to a domain controller, 4 means a successful connection to a configuration domain controller, and 7 means the sum of the first three.

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy